ing 


Break 


Artem Bachevsky 


Yandex 




whoami 


* Software developer -> AppSec Expert 
* Licensed software user 

* Cybersecurity researcher 

* @frydaykg 


What we'll talk about 


* What are we protecting, from what, and how? 
* And how do they break it? 
* And how can we resist in response? 


From what? 


* Protection against unauthorized use of programs is a 
system of measures aimed at countering the illegal use 
of software. Organizational, legal, software and 
hardware/software means can be used for protection. 
(c) Wikipedia 


What? 


* The ability to use the software 
* The ability to use the software in agreed time intervals 
* Paid functionality 
* Our specific restrictions and limits 


Basic principles and objectives 


Choose a ratio of protection measures such that: 

* User UX doesn't suffer much 
* It is expensive to break the defense 
* And the user would still be willing to pay... 


Software activation 


By object of applicability: 
* Thick client 
* Thin client (web) 


Software activation 


By approach: 

* Offline 
* Online 
* Local activation server 


Activation approach: offline 


Attacks 

* Via serial key distribution 

(slide image: Windows) 


Activation approach: offline 


But if you must use offline activation, then: 

* Use unique installers 
* Develop a telemetry system 
* Upgrade your EULA and organizational measures 


You are offline 


Activation approach: online 


1. Fingerprint is generated 
2. Fingerprint gets to the vendor 
3. Vendor returns an activation code 
4. Code is entered into the program 


Activation approach: online 


Attacks 

* Keygens 
* Patching 
* Attacks on activation server 
* Environment emulation 


(slide image: a keygen window for "Ahead Nero Burning ROM v6.3.0.0 Ultra Edition" with a Serial field reading 1A23-0037-8030-1891-5908-5963 and a Generate button) 
Case study: attack on activation server 
* Online activation 
* A signature over a hash of the hardware => license 
* Check for hardware spoofing 


What could possibly go wrong? 
Case study: attack on activation server 


"Hacked by PhyRo" 
A file in the root directory of the server 
Case study: attack on activation server 


A chain is only as strong as its weakest link 


Keep in mind: 
* Infrastructure security 
* Third-party dependencies 


Software activation 


By uniqueness of an object: 
* Unique installer 
* Hardware 
* OS user profile 
* Application account 
Software activation: unique installer 
Ideal best case: 
* Online activation 
* Periodic online check 


Otherwise it will be a failure. 


But now it is possible to track how the software spreads. 
Software activation: hardware 


Principle: 
1. Collect a set of unique hardware parameters 
2. Hash them 
3. Vendor signs the hash 
4. The signature is the license 
5. Software periodically regenerates the hash and verifies 
the signature against it 
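As an added example (written for this page, not code from the talk or from any vendor mentioned in it), here is the hardware-binding principle above together with the four-step flow from the "Activation approach: online" slide, carried through in Go with Ed25519: the client canonicalizes and hashes a set of hardware parameters, the vendor's signature over that hash is the license, and the client re-derives the hash and verifies it with the vendor's public key. The parameter names and serial values are assumptions constructed for the example. The last check in main is the point of the hardware-spoofing case study that follows: any machine that reproduces the same parameter values gets the same hash, so the scheme is only as strong as the hardest-to-forge parameter in the set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Fingerprint is the set of hardware parameters the client collects.
// Keys and values here are constructed for this example; a real product
// picks its own set (disk serial, MAC, CPU ID, ...).
type Fingerprint map[string]string

// Hash canonicalizes the fingerprint as sorted "key=value" lines and
// returns its SHA-256 digest. Canonical ordering matters: vendor and
// client must hash identical bytes or the signature will not verify.
func (f Fingerprint) Hash() []byte {
	keys := make([]string, 0, len(f))
	for k := range f {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k + "=" + f[k] + "\n")
	}
	sum := sha256.Sum256([]byte(b.String()))
	return sum[:]
}

// Vendor holds the signing key pair. Only the activation server holds
// the private key; the public key ships inside the program.
type Vendor struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv, Pub: pub}, nil
}

// Activate is steps 2-3 of the online flow: the server receives the
// fingerprint hash and returns its signature, which is the license.
func (v *Vendor) Activate(fingerprintHash []byte) []byte {
	return ed25519.Sign(v.priv, fingerprintHash)
}

// CheckLicense is step 4 and the periodic re-check: recompute the hash
// of the hardware as seen right now and verify the stored signature.
func CheckLicense(pub ed25519.PublicKey, current Fingerprint, license []byte) bool {
	return ed25519.Verify(pub, current.Hash(), license)
}

func main() {
	vendor, err := NewVendor()
	if err != nil {
		panic(err)
	}
	// Constructed machine; the disk serial is the one in the slide's screenshot.
	machine := Fingerprint{"disk_serial": "1827-14CA", "mac": "00:11:22:33:44:55"}
	license := vendor.Activate(machine.Hash())
	fmt.Println("same machine:   ", CheckLicense(vendor.Pub, machine, license)) // true

	// Different MAC: the hash changes and the license is rejected.
	other := Fingerprint{"disk_serial": "1827-14CA", "mac": "aa:bb:cc:dd:ee:ff"}
	fmt.Println("other machine:  ", CheckLicense(vendor.Pub, other, license)) // false

	// Spoofed machine: the attacker sets every collected parameter to the
	// licensed values (a serial changer does exactly this for the disk),
	// so the hash, and therefore the verification result, is identical.
	spoofed := Fingerprint{"mac": "00:11:22:33:44:55", "disk_serial": "1827-14CA"}
	fmt.Println("spoofed machine:", CheckLicense(vendor.Pub, spoofed, license)) // true
}
```

Note that CheckLicense runs inside the client binary, which is why the later "binary patching" slides matter: replacing the call with a constant true defeats the signature without touching the key at all.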
Case study: hardware spoofing 


* Thick client 
* Hardware binding 
* Semi-online activation 


Looks good, doesn't it? 


(slide image: "Hard Disk Serial Number Changer" utility from xboxhardrive.com. Disk (Hard / Floppy) Serial Number: 1827-14CA [change]. Serial number format: hex symbols 0-9, A-F; after changing the serial number, reboot the PC to apply it. The dialog itself notes that this serial number is generated by Windows when you format a disk partition, i.e. it is a volume serial written to the filesystem, not a hardware identifier.) 
Case study: hardware spoofing 


* Weak hardware metadata 
* Does strong metadata exist at all? 
* Ability to run in a virtual environment 
* Red Pill (VM detection) 
Software activation: OS user profile 


We allow only one user per license to use the software, 
but on multiple devices. 


Binding objects: the OS user and its metadata 


root:x:0:0:root:/root:/bin/bash 
Software activation: OS user profile 


In reality, it additionally takes into account: 

* Number of activations requested on various devices 
during the period 
* Similarity of usernames 


Attacks 
* Runtime emulation (OS username, transfer of license files) 
* Fraud with the number of activations per license 
Case study: license transfer 


* A popular AppSec tool 
* License data stored in the registry or a settings file 


How to break it? 


Case study: license transfer 


* Track file and registry changes 
  * Process Monitor / strace 
  * Calculate the diff before and after activation 
* Find out the exact metadata used for binding 
  * Eyes 
  * Decompilers 
* Make a patch for the registry, OS, file system 
* PROFIT!!1 
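The first two steps above, as an added example written for this page (not the speaker's tooling): a Go snapshot-and-diff over a directory tree that does for files what Process Monitor or strace plus a before/after comparison does, and tells you exactly which artifacts activation created or rewrote. The target product is stood in for by SimulateActivation, a constructed function that drops a license file and rewrites a settings file; the file names and the hwid value are assumptions. Registry keys are handled the same way with a registry export before and after.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot walks root and records a SHA-256 per regular file, keyed by
// slash-separated relative path, so two snapshots can be compared.
func Snapshot(root string) (map[string]string, error) {
	snap := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		snap[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return snap, err
}

// Diff reports which files appeared, disappeared or changed content
// between two snapshots. Sorted output keeps the report deterministic.
func Diff(before, after map[string]string) (added, removed, changed []string) {
	for path, sum := range after {
		old, ok := before[path]
		switch {
		case !ok:
			added = append(added, path)
		case old != sum:
			changed = append(changed, path)
		}
	}
	for path := range before {
		if _, ok := after[path]; !ok {
			removed = append(removed, path)
		}
	}
	sort.Strings(added)
	sort.Strings(removed)
	sort.Strings(changed)
	return added, removed, changed
}

// SimulateActivation stands in for the real product's activation step
// (constructed for this example): it drops a license blob and rewrites a
// settings file with the metadata the license is bound to.
func SimulateActivation(root, hwid string) error {
	lic := filepath.Join(root, "license.dat")
	if err := os.WriteFile(lic, []byte("signature-over-"+hwid), 0o600); err != nil {
		return err
	}
	ini := filepath.Join(root, "settings.ini")
	return os.WriteFile(ini, []byte("[license]\nhwid="+hwid+"\nactivated=1\n"), 0o600)
}

func main() {
	root, err := os.MkdirTemp("", "license-diff")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// Pre-activation state of the (constructed) install directory.
	os.WriteFile(filepath.Join(root, "settings.ini"), []byte("[license]\nactivated=0\n"), 0o600)
	os.WriteFile(filepath.Join(root, "readme.txt"), []byte("untouched\n"), 0o600)

	before, _ := Snapshot(root)
	if err := SimulateActivation(root, "1827-14CA"); err != nil {
		panic(err)
	}
	after, _ := Snapshot(root)

	added, removed, changed := Diff(before, after)
	fmt.Println("added:  ", added)   // [license.dat]
	fmt.Println("removed:", removed) // []
	fmt.Println("changed:", changed) // [settings.ini]
}
```

The files that show up as added or changed are the ones to carry to the second machine, and the values written into them (here the hwid) are the metadata the binding check reads back.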
Software activation: application account 


* Applicable to thin clients 
* Almost always such solutions require Internet access 
* Activation = the fact of signing in to the service with a 
specific login 
Software activation: application account 
My ideal licensing system: 
* We work in a thin client (web) 
* Licenses are purchased per user 


Where should I look as an attacker? 


Software activation: application account 


* Vulnerabilities 
  * Checking permissions on the frontend 
  * IDOR 
  * Broken Access Control 
* Works on one account for many users 
* Works for many users through a single proxy server 
Software activation: application account 


* AppSec practices 
  * Security audit 
  * Focus on business logic vulnerabilities in licensing 
* Behavioral analysis 
  * Activity analysis 


Forward to the past 


Forward to the past 


* System software malfunction 
* Spoofing system time for a process 
  * RunAsDate utility 
* Checking against Internet time sources 
* Protection by metadata 
  * Issue date stamps on the license itself 
  * Flags with timestamps on the filesystem 
* Blocking the license in case of violation of the rules 
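An added example (mine, not from the talk) of the protection-by-metadata bullets above in Go: the license carries its own issue and expiry dates, and the program keeps a persisted high-water mark of the latest time it has ever seen (the "flag with a timestamp"). A RunAsDate-style run with a faked earlier clock then shows up as a rollback and blocks the license instead of making it valid again. The dates, the tolerance and the in-memory ClockState are assumptions; a real product stores the mark in a file or registry value and signs the dates together with the rest of the license.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// License carries its own issue and expiry dates. In a real product these
// are signed with the rest of the license so the user cannot edit them.
type License struct {
	IssuedAt  time.Time
	ExpiresAt time.Time
}

// ClockState is the persisted high-water mark: the latest time the program
// has ever observed. Kept in memory here; a product writes it to a file or
// registry value (the "flag with a timestamp on the filesystem").
type ClockState struct {
	LastSeen time.Time
}

var (
	ErrExpired  = errors.New("license expired")
	ErrNotYet   = errors.New("clock is before the license issue date")
	ErrRollback = errors.New("system clock moved backwards; license blocked")
)

// Check validates the license against now and advances the high-water
// mark. tolerance absorbs small legitimate corrections (NTP slew, a DST
// fix) so they are not treated as tampering.
func Check(lic License, st *ClockState, now time.Time, tolerance time.Duration) error {
	// A time before the license even existed is impossible on an honest clock.
	if now.Before(lic.IssuedAt.Add(-tolerance)) {
		return ErrNotYet
	}
	// Going backwards past what we have already seen means the clock was
	// rolled back, or the process was started under a faked time.
	if now.Before(st.LastSeen.Add(-tolerance)) {
		return ErrRollback
	}
	// Advance the mark before the expiry check: an expired run must still
	// be remembered, otherwise a rollback after expiry would go unnoticed.
	if now.After(st.LastSeen) {
		st.LastSeen = now
	}
	if now.After(lic.ExpiresAt) {
		return ErrExpired
	}
	return nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed
	lic := License{IssuedAt: issued, ExpiresAt: issued.AddDate(0, 0, 30)}
	st := &ClockState{}
	tol := time.Hour

	runs := []struct {
		label string
		now   time.Time
	}{
		{"day 1, honest clock", issued.AddDate(0, 0, 1)},
		{"day 31, honest clock", issued.AddDate(0, 0, 31)},
		{"day 5 faked via RunAsDate", issued.AddDate(0, 0, 5)},
		{"faked before issue date", issued.AddDate(0, 0, -2)},
	}
	for _, r := range runs {
		fmt.Printf("%-28s -> %v\n", r.label, Check(lic, st, r.now, tol))
	}
	// What this cannot catch: a faked time between IssuedAt and the first
	// recorded LastSeen, before the program has ever seen the real clock.
	// That gap is what the "checking against Internet time sources" bullet covers.
}
```

The high-water mark is only as safe as its storage: if the user can delete the flag file or registry value, the program is back to trusting the local clock, which is why the slide pairs it with an external time check.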
You don't bring a knife to a gunfight 
If there is protection, then it can always be bypassed. 


Tools: 

* IDA Pro 
* Ghidra 
* Hopper 
* Radare2 
* Apktool 
Case study: binary patching 


The coolest action camera vendor sells video stabilization 
as paid functionality 
Case study: binary patching 


1. Object analysis 
2. Decompilation 
3. Patching 


Case study: binary patching 
Tools are your friends 
* file 
* dotPeek 
You don't bring a knife to a gunfight: 
protection 


* Obfuscation 
* Binary signing 
* Executable packers 
* Polymorphic software 


Cons 
* Not a panacea 
* There is a chance of making the quality worse 
Case study: it's not always about technology 


* Newer Windows versions 
* You can live without activation, but... 

(slide image: Windows 7) 


Case study: it's not always about technology 


(slide image: Windows phone activation dialog. "Enter your confirmation ID. The automated phone system will tell you what to enter." [Cancel]) 


Case study: it's not always about technology 


* Think about all possible process branches 
* Low-hanging fruits will be picked first 
* Or even dig up potatoes 
And how to live further? 


* Denial, Anger, ..., Acceptance 
* Know your user segment 
* Choose a protection model depending on specific risks 
And how to live further with on-premise? 


* Binding to hardware 
* Semi-online activation 
* New version means new license 
* Code obfuscation and executable packers 
And how to live further with online? 


* Thin clients solve all problems 
* But be aware of AppSec and business logic errors 
* It's time for everyone to be browser based IMHO 
* But if it's not applicable to you, then: 
  * Keep track of the number of concurrently used 
instances 
  * Analyze their behavior 
  * Take organizational measures 
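The two account-sharing patterns from the application-account slides (one account used by many users, and many users working through a single proxy server) and the "keep track of concurrently used instances" advice above, as an added example in Go that is not from the talk: a sliding-window pass over sign-in/heartbeat events that counts distinct client devices and source addresses per account and flags accounts whose concurrent device count exceeds the license. The events, device IDs, addresses (from the documentation ranges), window length and per-license limit are all constructed assumptions, and Classify is a heuristic, not a verdict.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// SessionEvent is one sign-in or heartbeat record from the service's logs.
type SessionEvent struct {
	Account  string
	DeviceID string // client-side installation or browser fingerprint
	IP       string
	At       time.Time
}

// Finding is an account that exceeded the per-license device limit, with
// the peak it reached and when.
type Finding struct {
	Account string
	Devices int
	IPs     int
	PeakAt  time.Time
}

// DetectSharing slides a window of the given length over each account's
// events and returns the accounts whose number of distinct devices active
// inside one window ever exceeded maxDevices.
func DetectSharing(events []SessionEvent, window time.Duration, maxDevices int) map[string]Finding {
	byAccount := map[string][]SessionEvent{}
	for _, e := range events {
		byAccount[e.Account] = append(byAccount[e.Account], e)
	}
	findings := map[string]Finding{}
	for account, evs := range byAccount {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		devices := map[string]int{} // device -> events currently inside the window
		ips := map[string]int{}
		peak := Finding{Account: account}
		start := 0
		for _, e := range evs {
			devices[e.DeviceID]++
			ips[e.IP]++
			// Evict events that fell out of the window ending at e.At.
			for evs[start].At.Before(e.At.Add(-window)) {
				old := evs[start]
				if devices[old.DeviceID]--; devices[old.DeviceID] == 0 {
					delete(devices, old.DeviceID)
				}
				if ips[old.IP]--; ips[old.IP] == 0 {
					delete(ips, old.IP)
				}
				start++
			}
			if len(devices) > peak.Devices {
				peak.Devices, peak.IPs, peak.PeakAt = len(devices), len(ips), e.At
			}
		}
		if peak.Devices > maxDevices {
			findings[account] = peak
		}
	}
	return findings
}

// Classify is a heuristic (an assumption of this example): many devices
// behind one address looks like a shared proxy, many devices from many
// addresses looks like a shared password.
func Classify(f Finding) string {
	if f.IPs == 1 {
		return "shared proxy"
	}
	return "shared credentials"
}

// SampleEvents returns constructed log data: alice uses one device; bob's
// login is used from six devices and six addresses within minutes; carol's
// from four devices behind one address; dave switches devices hours apart,
// which is legitimate (one device at a time).
func SampleEvents() []SessionEvent {
	base := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	var evs []SessionEvent
	for i := 0; i < 3; i++ {
		evs = append(evs, SessionEvent{"alice", "dev-a1", "192.0.2.5", base.Add(time.Duration(i) * time.Hour)})
	}
	for i := 0; i < 6; i++ {
		evs = append(evs, SessionEvent{"bob", fmt.Sprintf("dev-b%d", i), fmt.Sprintf("203.0.113.%d", 10+i), base.Add(time.Duration(i) * 2 * time.Minute)})
	}
	for i := 0; i < 4; i++ {
		evs = append(evs, SessionEvent{"carol", fmt.Sprintf("dev-c%d", i), "198.51.100.7", base.Add(time.Duration(i) * 5 * time.Minute)})
	}
	for i := 0; i < 3; i++ {
		evs = append(evs, SessionEvent{"dave", fmt.Sprintf("dev-d%d", i), "192.0.2.9", base.Add(time.Duration(i) * 2 * time.Hour)})
	}
	return evs
}

func main() {
	for account, f := range DetectSharing(SampleEvents(), time.Hour, 2) {
		fmt.Printf("%s: %d devices over %d IPs at %s -> %s\n",
			account, f.Devices, f.IPs, f.PeakAt.Format(time.RFC3339), Classify(f))
	}
}
```

The device ID is supplied by the client and can be forged like any other fingerprint, so the count is a signal for the behavioral analysis the slides call for, not a hard enforcement point; the server-side limit it feeds (how many sessions a license may hold at once) is the part the client cannot patch.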


Leave your feedback! 
Artem Bachevsky, @frydaykg 
You can rate the talk and give feedback on what you've liked or 


Yandex 